This single statement from the FDA clarifies a policy position many in the industry have held, that it is too costly and
takes too much time getting approval to update the security
of a legacy medical device. This position can no longer be
taken, and security improvements can be made without an
overly burdensome and time-consuming process attached.

As stated earlier, most medical device security challenges
aren’t technical in nature. They have more to do with decisions
and policies being made in the boardroom than the decisions
being made by security engineers. Many security engineers know
what actions need to be taken to improve the security of the
devices they work on. However, getting the needed approval to
make these important changes is challenging. I was recently told
by a security engineer at a major medical device company that
it takes nearly a miracle to get approval to update security on a
medical device that has already gone through the FDA approval.

This is true even if the update significantly improves the security
of the device. Should these types of policy restrictions really be
in place, or do they actually create a larger risk for the patients
and doctors who will ultimately be using these devices?

Today’s security landscape requires new mindsets. Organizations can prioritize security as a business advantage where investments today will yield business opportunities tomorrow, rather than being left to pick up the pieces after an incident compels change. Security can be a marketing advantage, and innovative companies will take the long view, rather than viewing security as a cost center.

With many healthcare organizations adding security provisions in their procurement processes, device manufacturers
have financial incentives to prioritize security now. This has
been made clearer by Mayo Clinic’s comments on the FDA
draft guidance where Mayo Clinic has taken a strong position
in asking FDA to make its guidelines enforceable, in order to
spur security adoption. Investments made today can help prevent security breaches of tomorrow, the types of adverse events
that could lead to enhanced regulatory measures and a lack of
confidence among device purchasers.

Taking an innovative approach toward security policies
will help advance security adoption and make sure medical
devices meet patient and provider privacy needs now and in
the future. Manufacturers, healthcare providers, and patients
will all benefit from more flexible policies and processes for
updating security on medical devices. MDT